Nation-states are spying on companies and attempting to steal their intellectual property by infiltrating the networks of managed service providers (MSPs), according to a U.S. government security alert.
The U.S. Department of Homeland Security's (DHS) U.S. Computer Emergency Readiness Team (US-CERT) yesterday issued a warning that says attempts to exploit MSP networks have been ongoing since May 2016. The MSPs are the entry point; their customers, especially IT, energy, healthcare, communications, and manufacturing companies, are the end targets of these attacks.
Using an MSP enlarges a customer's attack surface, because the MSP's credentials and network connections into the customer become an additional path for nation-states and criminals. Once attackers gain access to an MSP's network, they can move between the MSP and the customer networks it is connected to. Bidirectional movement between the two networks makes it easier for the hackers to avoid detection and to maintain their presence, since activity on the MSP link looks like routine administration.
Threat actors are using stolen credentials and tools already installed on the systems, such as command-line scripting, to gain access to MSP networks, the alert says; built-in tools leave fewer traces than custom malware. Once the hackers are on the network, they can spy on companies, steal sensitive or proprietary data, and disrupt business operations.
While the new alert doesn’t specifically link the MSP threat to Chinese state-sponsored hackers, it says the MSP network threat is related to activity that the DHS warned companies about in April 2017. Security researchers linked that threat to Chinese hacking group APT10, also known as Stone Panda.
Brandon Levene, head of applied intelligence at Alphabet’s security company Chronicle, said in an email to SDxCentral that the new MSP threat is related to APT10.
“This is a pretty common-sense target to go after for espionage purposes,” Levene said. “Many organizations outsource some portion of their cybersecurity operational capabilities to external organizations, and these external organizations are prime targets for one-stop shopping. Imagine being able to compromise one target and in so doing compromise all of the cybersecurity events of their clients. By necessity, infrastructure is commonly in place, which allows these third parties some level of access to their clients’ networks, which represents an absolute gold mine for APTs looking to make inroads to target organization networks. Additionally, these connections are usually not heavily monitored, and activity associated with them is typically considered ‘benign’ by default.”
The MSP networks alert also comes as a Bloomberg report alleges the Chinese government inserted tiny malicious chips into Supermicro servers used by Amazon, Apple, and about 30 other large American companies. Amazon and Apple deny the report.
How to Manage Risk
“Restricting access to networks and systems is critical to containing an APT actor’s movement,” the DHS alert says. APT stands for advanced persistent threat.
The DHS recommends using a dedicated virtual private network (VPN) for MSP connections and limiting access to and from that VPN to only the networks and protocols the MSP needs to deliver its service, so that an attacker holding MSP credentials cannot reach the rest of the customer's network. It also recommends enabling logging on all network systems and devices and forwarding these logs to a central location. The central log service should be isolated from the internet and from the general network environment, so that an intruder who has compromised a host cannot alter or delete the record of their activity.
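The recommendation above is a network allowlist: traffic from the dedicated MSP VPN may reach only specific destination networks, protocols, and ports. The following is an added example, not code from the DHS alert or from SDxCentral, showing how to audit firewall logs from such a VPN segment against an allowlist. The VPN pool, the customer subnets, the rules, and the key=value log lines are all constructed for illustration; real deployments would use the addressing and log format of their own firewall.

```python
"""Audit connections from a dedicated MSP VPN segment against an allowlist.

Added example, not from the DHS alert or the article. Addressing, rules and
log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical address pool handed out to MSP staff by the dedicated VPN.
MSP_VPN_POOL = ipaddress.ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class Rule:
    dst_net: ipaddress.IPv4Network
    proto: str
    port: int


# Only what the MSP's service actually needs (hypothetical): its monitoring
# console and SSH on the server VLAN, plus one patch server. Anything else
# from the VPN pool (workstation VLANs, domain controllers, SMB, RDP) is denied.
ALLOWLIST = [
    Rule(ipaddress.ip_network("10.10.5.0/24"), "tcp", 443),
    Rule(ipaddress.ip_network("10.10.5.0/24"), "tcp", 22),
    Rule(ipaddress.ip_network("10.10.9.10/32"), "tcp", 8530),
]

# Minimal key=value firewall-log format used for this example (constructed).
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port; None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
    }


def allowed(conn):
    """True if the connection matches at least one allowlist rule."""
    return any(
        conn["dst"] in r.dst_net and conn["proto"] == r.proto and conn["dport"] == r.port
        for r in ALLOWLIST
    )


def audit(lines):
    """Return log lines from the MSP VPN pool that reach destinations outside the allowlist."""
    violations = []
    for line in lines:
        conn = parse_line(line)
        if conn is None or conn["src"] not in MSP_VPN_POOL:
            continue  # not MSP traffic, out of scope for this check
        if not allowed(conn):
            violations.append(line.strip())
    return violations


# Constructed sample: two permitted sessions, SMB to a workstation VLAN and RDP
# to a domain controller (lateral movement from the MSP link), one non-MSP flow.
SAMPLE_LOGS = [
    "2018-10-03T09:01:11Z fw01 src=10.200.0.15 dst=10.10.5.21 proto=tcp dport=443 action=allow",
    "2018-10-03T09:02:40Z fw01 src=10.200.0.15 dst=10.10.5.22 proto=tcp dport=22 action=allow",
    "2018-10-03T09:05:02Z fw01 src=10.200.0.15 dst=10.10.20.7 proto=tcp dport=445 action=allow",
    "2018-10-03T09:05:30Z fw01 src=10.200.0.15 dst=10.10.1.2 proto=tcp dport=3389 action=allow",
    "2018-10-03T09:06:00Z fw01 src=10.10.20.7 dst=10.10.5.21 proto=tcp dport=443 action=allow",
    "2018-10-03T09:07:15Z fw01 src=10.200.0.15 dst=10.10.9.10 proto=tcp dport=8530 action=allow",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOGS):
        print("OUTSIDE ALLOWLIST:", v)
```

The same allowlist should be enforced on the firewall itself; running it over the logs as well catches rule drift and misconfiguration, and a hit in this audit is exactly the kind of "benign by default" MSP traffic Levene describes that deserves a closer look.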
The DHS also suggests several operational controls to improve network security, such as establishing a baseline of normal system and network behavior. With a baseline in hand, security teams and network administrators can recognize what is normal for these systems and spot connections, logons, or processes that deviate from it. It is also important to review privileged account groups weekly, including any groups that grant the MSP access, and to disable accounts that are no longer in use.
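The weekly review of privileged groups described above has two parts: find privileged accounts nobody is using, and find membership that changed since the last review. The following is an added example, not code from the DHS alert or the article, that runs both checks over a directory export. The group names, accounts, last-logon timestamps and the previous week's membership baseline are constructed; in practice the input would be an export of the directory's privileged groups (for example, domain administrators and any MSP-specific admin group) with each member's last-logon time.

```python
"""Weekly privileged-group review: flag inactive accounts and membership changes.

Added example, not from the DHS alert or the article. The export and the
baseline below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed directory export: (group, account, last logon as ISO-8601 UTC or
# None if the account never logged on, account enabled?)
PRIVILEGED_MEMBERS = [
    ("Domain Admins", "alice.adm", "2018-10-01T08:12:00Z", True),
    ("Domain Admins", "svc-backup", "2018-06-20T02:00:00Z", True),
    ("MSP-Admins", "msp-oncall-1", "2018-10-02T19:45:00Z", True),
    ("MSP-Admins", "msp-oncall-2", None, True),
    ("MSP-Admins", "msp-contractor-old", "2018-01-15T11:00:00Z", False),
    ("Server Admins", "bob.adm", "2018-09-29T16:30:00Z", True),
]

# Membership recorded at last week's review: the baseline to diff against.
LAST_REVIEW = {
    ("Domain Admins", "alice.adm"),
    ("Domain Admins", "svc-backup"),
    ("MSP-Admins", "msp-oncall-1"),
    ("MSP-Admins", "msp-contractor-old"),
    ("Server Admins", "bob.adm"),
    ("Server Admins", "carol.adm"),
}

REVIEW_TIME = datetime(2018, 10, 3, tzinfo=timezone.utc)  # hypothetical review date
MAX_IDLE = timedelta(days=90)  # hypothetical inactivity threshold


def parse_ts(value):
    """Parse the export's UTC timestamp; None stays None (never logged on)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inactive_accounts(members, now=REVIEW_TIME, max_idle=MAX_IDLE):
    """Enabled privileged accounts with no logon within max_idle.

    An account that has never logged on is treated as inactive: a privileged
    account that exists but is unused is a credential waiting to be stolen.
    """
    result = []
    for group, account, last_logon, enabled in members:
        if not enabled:
            continue  # already disabled; nothing to do this week
        ts = parse_ts(last_logon)
        if ts is None or now - ts > max_idle:
            result.append((group, account))
    return result


def membership_changes(members, baseline):
    """Return (added, removed) relative to the baseline recorded at the last review.

    Each addition should be traced to a change ticket; an unexplained new
    member of a privileged group is how stolen MSP credentials get persistence.
    """
    current = {(g, a) for g, a, _, _ in members}
    return sorted(current - baseline), sorted(baseline - current)


if __name__ == "__main__":
    for g, a in inactive_accounts(PRIVILEGED_MEMBERS):
        print(f"DISABLE   {g}: {a}")
    added, removed = membership_changes(PRIVILEGED_MEMBERS, LAST_REVIEW)
    for g, a in added:
        print(f"VERIFY    new member of {g}: {a}")
    for g, a in removed:
        print(f"REMOVED   from {g}: {a}")
```

After the review, the current membership set becomes next week's baseline. Keeping MSP personnel in their own group, as in the constructed example, makes it obvious which accounts belong to the provider and lets the customer disable the whole set quickly if the MSP reports a compromise.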